This specification relates to network security.
A network is a system of computer assets in data communication. Many networks are private networks, e.g., a particular network may be an internet protocol based network that is logically independent from other internet protocol based networks. An enterprise network of a company that is connected to the Internet through a router and firewall is one example of such a private network.
One or more security provisioning systems can be used to protect each network from attacks by malicious software and users. For example, a network security system includes network sensors that are deployed on the edge of a protected network or within the network, and one or more network security servers in data communication with the network sensors. The sensors detect new assets attempting to gain access to the network and monitor assets that have been granted access to the network. The sensors report to the network security server(s) when new assets are attempting to gain access to the network, and report actions taken by the assets that are attempting to join the network or that are already on the network. The sensors can take actions with respect to an asset immediately, or can take actions with respect to the asset as determined by the network security server(s), depending upon a number of security related factors.
Often an attack on a network is preceded by, or begins with, a series of probes on the network. For example, an attacking device, such as malicious software or a bot, may attempt to connect to multiple different ports in a network to discover services. Multiple ports may exist on a particular host, and multiple hosts may serve a particular port. Accordingly, such probing actions are often burst-like in nature.
Current algorithms for probing detection rely on detecting N connection attempts (whether successful or not) in M seconds from a particular asset. The asset may be internal to the network, or may be an external asset that is attempting to gain, or has gained, access to the network. These algorithms work well for fast, noisy scanners. To avoid keeping too many tracking instantiations in the system, the duration M is usually on the order of seconds or minutes, so that the security monitoring system does not need to track all sources for long periods of time (e.g., hours or even days). Another reason for maintaining an aggressive N/M ratio (i.e., high N, low M) is the sheer volume of "true positives" from fast scans in many environments.
Thus, given the burst-like nature of the probing action, the relatively brief tracking time duration accomplishes dual goals—providing a time window that is long enough to detect probing attacks from an asset, and limiting the amount of memory and processing resources required to protect the network.
However, if the scanning by an attacking asset is intentionally slowed down to stealth levels (e.g., 3-4 probes over several hours), N/M thresholds for current scan detection algorithms are not triggered. For example, an unauthorized user may gain access to an asset on a company premises, and may manually seek out services on various ports for exploitation. The user, however, may issue the requests in a stealth manner, e.g., one or two requests every several hours. Likewise, a malicious agent may be installed on an asset and systematically seek out services on various ports for exploitation. The agent, however, may be programmed to issue the requests in the same stealth manner.
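The N-in-M-seconds detector described above, together with the stealth-scan gap it leaves, as an added illustration that is not part of the specification or any product it describes. The detector keeps a per-source sliding window of attempt timestamps, drops sources that have been idle longer than M (the bounded-memory argument), and flags a source once N attempts fall inside one window. The event stream is constructed: a hypothetical noisy scanner hitting ten ports in ten seconds, a hypothetical stealth scanner issuing four probes over about seven hours, and one benign connection. With N=5, M=60 only the fast scanner triggers; raising M to eight hours catches the slow scanner but means tracking state for every source across hours.

```python
"""Sliding-window N-in-M-seconds probe detector (added example, constructed data)."""
from collections import defaultdict, deque

HOUR = 3600
FAST_SCANNER = "10.0.0.5"   # hypothetical noisy scanner (constructed address)
SLOW_SCANNER = "10.0.0.9"   # hypothetical stealth scanner (constructed address)

# Constructed sample events: (timestamp_seconds, source_ip, dest_ip, dest_port)
SAMPLE_EVENTS = (
    # fast scan: ten distinct ports on one host, one attempt per second
    [(100 + i, FAST_SCANNER, "10.0.1.20", port)
     for i, port in enumerate([21, 22, 23, 25, 80, 110, 143, 443, 3306, 8080])]
    # stealth scan: four probes spread over roughly seven hours
    + [(2 * HOUR, SLOW_SCANNER, "10.0.1.20", 22),
       (4 * HOUR, SLOW_SCANNER, "10.0.1.20", 80),
       (7 * HOUR, SLOW_SCANNER, "10.0.1.21", 443),
       (9 * HOUR, SLOW_SCANNER, "10.0.1.21", 3306)]
    # benign: a single connection from an unrelated host
    + [(300, "10.0.0.7", "10.0.1.20", 443)]
)


def detect_n_in_m(events, n, m):
    """Flag sources that make >= n connection attempts within any m-second window.

    Returns (flagged, tracked) where flagged maps source -> timestamp of the
    attempt that first crossed the threshold, and tracked is the number of
    sources still held in memory when the stream ends. Per-source state is a
    deque of recent timestamps; a source whose last attempt is older than m is
    evicted, which is what keeps the tracking state small for short m.
    """
    recent = defaultdict(deque)
    flagged = {}
    for ts, src, _dst, _port in sorted(events):
        # Evict idle sources: with a short window they are forgotten quickly,
        # which is exactly why a slow scanner never accumulates a count.
        idle = [s for s, q in recent.items() if ts - q[-1] > m]
        for s in idle:
            del recent[s]
        window = recent[src]
        window.append(ts)
        # Slide the window forward so it only holds attempts within m seconds.
        while ts - window[0] > m:
            window.popleft()
        if len(window) >= n and src not in flagged:
            flagged[src] = ts
    return flagged, len(recent)


def run_demo():
    """Show the trade-off: a short window misses the stealth scan, a long one catches it."""
    short = detect_n_in_m(SAMPLE_EVENTS, n=5, m=60)
    long_ = detect_n_in_m(SAMPLE_EVENTS, n=4, m=8 * HOUR)
    return {"short_window": short, "long_window": long_}


if __name__ == "__main__":
    for name, (flagged, tracked) in run_demo().items():
        print(f"{name}: flagged={flagged} sources_still_tracked={tracked}")
```

With the short window the fast scanner is flagged on its fifth attempt and only one source remains in memory at the end; with the eight-hour window the stealth scanner is flagged on its fourth probe, which is what a detector would have to pay for in state to close the gap the text describes.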